Spanning tree and loop prevention options

Gerry Klee
New Member

Spanning tree and loop prevention options

I have multiple 4200vl access switches and a 5300xl at the core and I'm running MSTP. I'd like to allow smaller switches to connect to the access ports if necessary but not participate in any form of STP.

Scenario 1:
Should I enable bpdu-filter with loop-protect on the access ports?

Scenario 2:
If I reconfigure access ports with "admin-edge-port" and setup bpdu-protection on those ports, would/could this prevent a managed switch running STP (or MSTP?) from working on an access port- even if there's no loop?

Does "admin-edge-port" work in conjunction with "bpdu-protection"?

P.S. This thread has been moved from Switches, Hubs, Modems (Legacy ITRC forum) to ProCurve / ProVision-Based. - HP Forum moderator

Matt Hobbs
Honored Contributor
Solution

Re: Spanning tree and loop prevention options

That should be fine, (bpdu-filter + admin-edge-port + loop-protect).

Admin-edge-port just puts the port into forwarding immediately without going through the blocking stage of STP.

BPDU-protection will disable the port as soon as it receives a BPDU, so you probably don't want to use that.

One thing I've noticed with loop-protect is that you may want to set the interval down to 1 second to get the best results. If a loop is created on an external switch, and THEN it is plugged into a loop-protect port, with the default 5 second interval loop-protect might have a very difficult time in disabling that port.
Gerry Klee
New Member

Re: Spanning tree and loop prevention options

Excellent. Thanks for the reply.

Is there anything else you'd recommend?

It looks like I could also use "root-guard", but "loop-protect" looks like it might be simpler.
Matt Hobbs
Honored Contributor

Re: Spanning tree and loop prevention options

Root-guard can be useful as can tcn-guard (not sure if the 4200 has that? need to be a bit careful with that one).

If you don't expect more than X amount of mac-addresses on a port, you could also set port-security to learn limited-continuous. It's an idea I've been toying with to hopefully overcome the loop-protect interval issue I mentioned in the last post. e.g. if more than 32 mac-addresses were detected on a port where you couldn't envision a reason for it (possibly a loop), disable the port.

I haven't properly thought that idea through though, still a work in progress.

For now I think admin-edge-port, bpdu-filter and loop-protect interval 1 is the safest bet.
Gerry Klee
New Member

Re: Spanning tree and loop prevention options

I think that's what I'll do. Thanks again for your help.
alegall
New Member

Re: Spanning tree and loop prevention options

Hi,

I tested Loop-Protect on a 2610, and I've noticed something:
The loop-protection functionality works fine when Spanning-Tree is disabled, but when I enable it, the Loop-Protection didn't work.
The port stays in a Forwarding state, even if I plug in another device with a loop on it.

I put the following parameters :
spanning-tree
loop-protect 1-12
loop-protect transmit-interval 1 disable-timer 10

Is it normal or is there something special to do?

My firmware version is R.11.25.

Thanks for your help.


Aaron_Jones
New Member

Re: Spanning tree and loop prevention options

Hi

Although this is an old post, the information is still relevant.

I have also found that the above configuration of alegall will not disable the port but will only put the port into a "blocking" state when using STP and loop-protect at the same time.

The only settings that appeared to work for me were as follows:

HP Procurve 2810

loop-protect 1-44
loop-protect transmit-interval 2 disable-timer 5
spanning-tree
spanning-tree 1-44 admin-edge-port
spanning-tree 1-44 bpdu-filter
no spanning-tree 1-44 auto-edge-port

This config works to disable the ports that have loops detected on them as if they were end user devices etc... and the uplink ports 45-48 are still enabled in the STP protocol.

I hope this helps others, as I have spent hours reading these forums for this answer.
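
An added example, not part of any poster's message and not HP tooling: a small Python check that a saved running-config applies the three settings recommended in this thread (loop-protect, admin-edge-port, bpdu-filter) to every access port, and flags ports where bpdu-filter is set without loop-protect, since those ports ignore BPDUs and so have no loop detection at all. It assumes numeric port names and only the command forms quoted in the posts above; the sample config is constructed.

```python
import re

DEFAULT_INTERVAL = 5  # default loop-protect interval in seconds, as stated in the thread

# Constructed sample: the 2810 config posted above, but with loop-protect
# covering only ports 1-40 so that the audit has something to report.
SAMPLE = """\
loop-protect 1-40
loop-protect transmit-interval 2 disable-timer 5
spanning-tree
spanning-tree 1-44 admin-edge-port
spanning-tree 1-44 bpdu-filter
no spanning-tree 1-44 auto-edge-port
"""

def expand_ports(spec):
    """Expand a numeric port list such as '1-12,45' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(config, access_ports):
    """Report which access ports lack any of the three per-port settings."""
    have = {"loop-protect": set(), "admin-edge-port": set(), "bpdu-filter": set()}
    interval, stp_enabled = None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "spanning-tree":
            stp_enabled = True
        elif m := re.fullmatch(r"loop-protect ([\d,-]+)", line):
            have["loop-protect"] |= expand_ports(m.group(1))
        elif m := re.match(r"loop-protect transmit-interval (\d+)", line):
            interval = int(m.group(1))
        elif m := re.fullmatch(r"spanning-tree ([\d,-]+) (admin-edge-port|bpdu-filter)", line):
            have[m.group(2)] |= expand_ports(m.group(1))
    missing = {}
    for port in sorted(access_ports):
        gaps = [name for name, ports in have.items() if port not in ports]
        if gaps:
            missing[port] = gaps
    return {
        "stp_enabled": stp_enabled,
        "interval": interval or DEFAULT_INTERVAL,
        "missing": missing,
        # BPDUs are filtered and no loop-protect frames are sent: nothing detects a loop here.
        "filter_without_loop_protect": sorted(have["bpdu-filter"] - have["loop-protect"]),
    }

if __name__ == "__main__":
    print(audit(SAMPLE, expand_ports("1-44")))
```

Uplink ports (45-48 in the posted config) are deliberately left out of `access_ports`, because they should keep participating in spanning tree.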
Tyrona-Networks
New Member

Re: Spanning tree and loop prevention options

One of the main purposes of the Loop Protection protocol is to prevent loops on edge ports connected to unmanaged switches that don't transmit BPDU packets - these switches drop BPDU packets. If we have Loop Protection and Spanning Tree activated at the same time on non-uplink ports and we plug a managed switch that handles BPDUs into one of these ports, Spanning Tree will take precedence (according to my experience), but in theory I think it will depend on how we play with the BPDU/Loop-Protection packet retransmission time. In both scenarios we will get as a result a port blocked or turned off, which will resolve our issue.

- Consider that having "loop-protect disable-timer 0" (default) will force us to enable the trouble port manually, but with Spanning Tree, it will depend on reconvergence.